Consent banner / consent management platform

consent-banner · Domain: data-privacy · Type: mixed

Description

A consent banner is the operational endpoint of the lawful-basis question for tracking that requires user opt-in: cookies, advertising pixels, analytics SDKs, third-party tags, and increasingly the server-side conversion APIs that route around traditional client-side tagging. The banner is what users see, but the regulator-facing artifact is the end-to-end pipeline: banner presented, choice recorded, tag behavior conformed to that choice, and proof that the pipeline actually blocks when it should.

Three layers have to line up for the pipeline to function. The surface presents the banner and preference center on first visit and on demand thereafter; the design choices here (banner placement, button equivalence between accept and reject, granularity of purpose categories) determine whether the resulting consent is freely given under GDPR Article 7 or under similar standards elsewhere, and dark-pattern enforcement actions (notably the CNIL Google and Facebook decisions in 2022 and the EDPB Cookie Banner Task Force conclusions in 2023) have closed off most of the friction-asymmetry options operators previously relied on. The categorization layer behind the banner identifies which cookies and tags are essential, which are functional, which are analytics, and which are advertising; this categorization determines whether the user's opt-out actually means anything downstream, and misclassification (labelling an advertising pixel as essential, or rolling an analytics SDK into the functional bucket) is the most common substantive failure mode regulators have flagged. The tag-management plumbing respects the categorization downstream by gating tag-firing on consent state.

The trade-off pressure across the design is between the operator wanting maximum opt-in (more tracking data, more advertising revenue, easier attribution) and the regulator wanting unambiguous opt-in with equally easy opt-out; recent enforcement has aggressively closed the gap between the two by penalizing the design choices that biased toward opt-in.

The statutory anchors converge on opt-in for non-essential tracking across the major jurisdictions, but with material differences in the threshold and the granularity. GDPR Articles 6 and 7 plus ePrivacy Article 5(3) set EU opt-in for cookies and similar technologies, with the EDPB and CNIL guidance pulling toward unambiguous affirmative action. UK PECR Regulation 6 plus ICO guidance set the parallel UK regime. CCPA opt-out under Cal. Civ. Code §1798.120 plus the 11 CCR §7000 series govern California, with handling of the Global Privacy Control signal now mandatory rather than optional and recent California AG enforcement specifically targeting non-conformant GPC handling. The US multistate privacy laws (Colorado, Connecticut, Delaware, Maryland, Montana, New Jersey, Oregon, Texas, Utah, Virginia) layer parallel opt-out rights with material variation in universal-opt-out-signal handling. LGPD Article 8 requires unambiguous consent with renewals on a reasonable cadence. PIPL, Saudi PDPL, UAE PDP, Korea PIPA, India DPDPA, Brazil Marco Civil, Indonesia PDP, Vietnam PDPD, Kenya DPA, Colombia 1581, Philippines DPA, Argentina PDPA, Mexico LFPDPPP, Thailand PDPA, KVKK, Singapore PDPA, and Japan APPI all set their own consent-collection regimes with their own renewal cadences and granularity expectations. The UK AADC Standard 9 layers child-specific consent obligations on top for under-18 users.

Most consent-banner failures observed in enforcement come from the connection layer rather than the surface itself: a categorically opted-out user whose tags fire anyway because the integration was never wired up end-to-end.
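One way to express the gating and the "proof that it blocks" check described above, as an added example that is not Magist's or any CMP vendor's code. The tag names, category registry, consent record and fire log are constructed, and treating a GPC signal as an opt-out of the advertising category is an assumption of this sketch.

```javascript
// Added example. Tag names, registry, consent record and fire log are constructed.
const TAG_CATEGORY = new Map([            // categorization layer (hypothetical)
  ["session-cookie", "essential"],
  ["lang-pref", "functional"],
  ["web-analytics-sdk", "analytics"],
  ["ad-pixel", "advertising"],
  ["server-conversion-api", "advertising"], // server-side calls are gated too
]);

// Global Privacy Control arrives as the request header "Sec-GPC: 1".
function gpcFromHeaders(headers) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === "sec-gpc");
  return key !== undefined && String(headers[key]).trim() === "1";
}

// Gate: decide whether a tag may fire for this consent state. Fails closed:
// a tag missing from the registry is denied rather than treated as essential.
function mayFire(tag, consent, gpc) {
  const category = TAG_CATEGORY.get(tag);
  if (category === undefined) return { allowed: false, reason: "uncategorized" };
  if (category === "essential") return { allowed: true, reason: "essential" };
  // Assumption of this sketch: GPC overrides a stored advertising opt-in.
  if (gpc && category === "advertising") return { allowed: false, reason: "gpc-opt-out" };
  if (consent[category] === true) return { allowed: true, reason: "consented" };
  return { allowed: false, reason: "no-consent" };
}

// Audit: compare tags observed firing against what the gate would
// have permitted, returning every fire that should have been blocked.
function auditFires(observedTags, consent, gpc) {
  return observedTags
    .map((tag) => ({ tag, ...mayFire(tag, consent, gpc) }))
    .filter((result) => !result.allowed);
}

// Constructed sample: one visitor's recorded choice, request headers, fire log.
const sampleConsent = { functional: true, analytics: false, advertising: true };
const sampleHeaders = { "Sec-GPC": "1" };
const sampleFires = ["session-cookie", "lang-pref", "web-analytics-sdk",
                     "ad-pixel", "server-conversion-api", "unlisted-vendor-tag"];

const violations = auditFires(sampleFires, sampleConsent, gpcFromHeaders(sampleHeaders));
console.log(violations.map((v) => `${v.tag}: ${v.reason}`));
```

Run against a real fire log (for example, network requests captured in a test browser session after rejecting non-essential categories), an empty result is the kind of evidence that the pipeline blocks when it should.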

Applicability

Applies when: markets include EU, UK, California, Brazil, or Canada.

Required by (37 regulations)

  • APPI

    Act on the Protection of Personal Information (Act No. 57 of 2003, as amended by Act No. 44 of 2020, effective April 1, 2022)

  • Argentina PDPA
  • BIPA

    740 ILCS 14/1 et seq.

  • Marco Civil

    Lei nº 12.965, de 23 de abril de 2014 (Marco Civil da Internet), regulated by Decreto nº 8.771, de 11 de maio de 2016

  • CA AADC

    Cal. Civ. Code §§1798.99.28-1798.99.40 (AB 2273, 2022)

  • CCPA/CPRA

    Opt-out rights (CCPA §1798.120) and Global Privacy Control signal handling.

    Cal. Civ. Code §§1798.100-1798.199.100; 11 CCR §7000-7102

  • Colombia 1581
  • CPA

    Colo. Rev. Stat. §§6-1-1301 to 6-1-1313; 4 CCR 904-3

  • CTDPA

    Conn. Gen. Stat. §§42-515 to 42-525

  • DE PDPA

    Del. Code Ann. tit. 6, ch. 12D

  • DPDPA

    Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023), published in the Gazette of India on August 11, 2023

  • GDPR

    Articles 6 + 7 — consent as a lawful basis; ePrivacy Article 5(3) for cookies.

    Regulation (EU) 2016/679 of the European Parliament and of the Council

  • IT Rules 2021

    Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, issued under the Information Technology Act, 2000 (Act No. 21 of 2000), as amended by the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules, 2023

  • Indonesia PDP
  • Kenya DPA
  • LGPD

    Article 8 — consent must be unambiguous; renewals every reasonable period.

    Lei nº 13.709, de 14 de agosto de 2018 (as amended by Lei nº 13.853/2019 and Emenda Constitucional nº 115/2022)

  • MODPA

    Md. Code Ann., Com. Law §§14-4601 to 14-4616

  • LFPDPPP (superseded)
  • MCDPA

    Mont. Code Ann. §§30-14-2801 to 30-14-2817

  • NJDPA

    N.J. Stat. Ann. §§56:8-166 to 56:8-188

  • OCPA

    Or. Rev. Stat. §§646A.570 to 646A.604

  • Philippines DPA
  • PIPA

    Personal Information Protection Act (Act No. 10465, enacted March 29, 2011; last wholly amended by Act No. 19234, effective September 15, 2023)

  • PIPL

    Personal Information Protection Law of the People's Republic of China (adopted August 20, 2021, effective November 1, 2021)

  • PDPL

    Royal Decree M/19, dated 9/2/1443 AH (September 16, 2021), Personal Data Protection Law, effective September 14, 2023

  • Singapore PDPA
  • TDPSA

    Tex. Bus. & Com. Code §§541.001-541.205

  • Thailand PDPA
  • KVKK
  • UAE Data Protection Law
  • UK AADC

    Standard 9 — children’s data; UK PECR Reg. 6.

    Data Protection Act 2018, s.123; Age Appropriate Design: A Code of Practice for Online Services (ICO, 2020)

  • UCPA

    Utah Code §§13-61-101 to 13-61-404

  • Vietnam PDPD
  • VCDPA

    Va. Code §§59.1-575 to 59.1-585

  • Washington MHMDA

    Captures the separate opt-in consent MHMDA requires before collecting consumer health data beyond what is necessary.

    Washington My Health My Data Act (HB 1155, 2023)

  • Chile Law 19.628

    Chile's data-protection regime requires consent for processing personal data, supported by a consent mechanism.

    Ley N° 19.628 sobre Protección de la Vida Privada (1999); to be substantially superseded by Ley N° 21.719 (2024) effective 2026-12-01

  • UK GDPR

    UK GDPR (with PECR) requires a lawful basis and a compliant consent mechanism for consent-based processing and cookies.

Fulfilled by (5)

  • onetrust · full · medium effort · $$
  • didomi · full · medium effort · $$
  • osano · full · low effort · $
  • transcend · full · medium effort · $$
  • In-house build · high effort
    Operating a compliant CMP in-house requires consent log retention, granularity, and re-prompt cadence work most teams underestimate.

Magist does not accept payment from vendors. Methodology.

Evidence formats

  • consent log
  • CMP configuration screenshot
  • IAB TCF / Google Consent Mode integration receipt

Magist provides legal information based on publicly available regulatory sources. It does not constitute legal advice and does not create an attorney-client relationship. Consult a licensed attorney in your jurisdiction before making compliance decisions.

Built by Neel Patel, a practicing in-house games attorney. Games touch more compliance domains at once than anything else in tech — Magist was designed around that.

Operated by a Washington-licensed attorney. Not licensed in California or other US states.

Magist is an instrument, not a consultancy. It does not sell compliance services or take payment from vendors for placement; the analysis is the same for everyone. No vendor, sponsorship, or referral fees, ever.

© 2026 Magist